Security Assumptions are dangerous

Anyone who steals the identity of a user becomes that user and has access to their most sensitive systems and data. If just one user’s identity is compromised, corporate systems are vulnerable. This is the threat posed by “corporate identity theft”.

Identity theft takes many forms – exploiting weak passwords, keystroke capture, phishing, Trojan software, social engineering, password sharing and so on. Not every attacker is sitting at home with their computer, trying to break into the corporate web site. Sometimes all they have to do is call up and ask! As Dorothy Denning, author of Information Warfare and Security, said, “Any medium that provides one-to-one communications between people can be exploited, including face-to-face, telephone and electronic mail. All it takes is to be a good liar.”

Organisations make very dangerous assumptions about the security of data on their networks. No one considers, or more importantly tests, who might be able to view or steal mergers and acquisitions data, business plans, payroll information or BACS payments. On a typical corporate Windows network, anyone with an administrator account can see or copy anything. Putting information on a network server is not the same as locking it in your desk drawer.

This blog post is an excerpt from an opinion piece called "Identity Theft in The Corporate World", written by Peter Wood from First Base Technologies. You can find out more about this security outfit at http://www.fbtechies.co.uk